New PCI Multifactor Authentication Rules: Is it Too Late?

May 26, 2016 | by Heidi Bleau

The PCI Security Standards Council (PCI SSC) has just extended its multi-factor authentication requirement to all personnel with administrative access to environments that handle cardholder data. The change comes on the heels of the European Parliament adopting its revised Directive on Payment Services (PSD2) late last year, which requires strong customer authentication for electronic payments. PSD2 also introduces strict security requirements for the initiation and processing of electronic payments and for the protection of consumers' financial data.

One key change in PCI DSS 3.2 is the addition of "multi-factor authentication as a requirement for any personnel with administrative access into environments handling card data." In the standard this is Requirement 8.3.1, and it applies to all non-console administrative access into the cardholder data environment, whether the connection originates inside or outside the organization's network. To offer some perspective, the multi-factor requirement previously applied only to remote access originating from otherwise untrusted networks.

As these new changes to PCI DSS suggest, passwords alone simply do not pass muster in the online trenches of the Internet. Indeed, as observed by PCI Security Standards Council CTO Troy Leach, "A password alone should not be enough to verify the administrator's identity and grant access to sensitive information. We've seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected and to compromise card data."

Leach has also explained the reasoning behind the change. Although the majority of administrative connections continue to be remote, breach investigations and the Council's conversations with the industry showed that security inside local networks could be better. Because payment networks are distributed and rely mostly on single-factor administrative access, a single compromised password is often all an attacker needs to reach the card data environment, and many organizations lack what Leach terms "administrative oversight" of those accounts. In that setting, an additional element of control through strong authentication can only be a positive development.

So why did this additional requirement take so long to arrive, and what are the implications of PCI DSS 3.2 for mobile authentication in particular? After all, we are well on our way to becoming a mobile world, which means organizations will need to account for mobile devices, both as endpoints for administrative access and as authenticators, when they add these additional layers of security.

While it may seem like the PCI Council is playing catch-up, it is just as true that the authentication technologies and supporting infrastructure needed to satisfy this requirement have existed for quite some time. The only difference is that they are now mandated: the new 3.2 requirements are treated as best practices until January 31, 2018, after which they become mandatory for compliance. Although some may think it is too late, look at it another way. If organizations were already doing it, it would not have to be mandated. Ultimately, it is a good thing for organizations and consumers alike.